September 17, 2021


Are You Prepared for the Latest Ransomware Tactics?

To defend against increasingly sophisticated attacks, organizations must enhance their security posture.

Over the past year and a half, ransomware attacks have been an almost daily occurrence, affecting nearly everyone’s lives in some way, from school shutdowns to empty store shelves to prices at the pump. Ransomware has become like an epidemic inside a pandemic, and these attacks continue to grow in both frequency and sophistication. Modern ransomware tactics bear more resemblance to the attack techniques used by advanced nation-state attackers than they do to the simplistic malware attacks of years past.

Multi-extortion is the latest tactic to emerge in ransomware attacks. Instead of simply encrypting files and demanding a ransom in exchange for the decryption key, attackers now steal as much information as they can from the target. With gigabytes of sensitive data in hand, they threaten the target with the disclosure of sensitive customer information, product plans and other valuable business data unless they promptly pay the ransom.

Attackers are also increasingly sophisticated in their intrusion techniques. They no longer rely on the opportunistic approach of deploying malware on the internet and hoping to infect users who click the wrong link. Instead, they research prospective targets with deep pockets and then use a variety of approaches to gain access to the target’s network. Their arsenal includes sophisticated phishing attacks, technical attacks against the Remote Desktop Protocol (RDP) and even bribing insiders to grant them access to an organization’s network. Once they establish an initial foothold, they move around inside an organization’s network and download as much data as possible before triggering an encryption routine. 

Finally, modern attackers are paying particular attention to Internet of Things (IoT) and operational technology (OT) deployments. In the wake of the Colonial Pipeline attack, they know that IoT and OT attacks against high-profile targets will generate a quick response — and often the speedy payment of a hefty ransom.

Organizations seeking to defend themselves against these emerging attacks should take steps to bolster their security defenses. Here’s the advice that I offer to my customers at CDW:

Back Up, Back Up, Back Up!

Backups provide organizations with a fallback should they lose control of their data. If an attacker encrypts their systems, backups allow the speedy recovery of data without paying a ransom. IT teams should be sure to use a redundant backup scheme such as the 3-2-1 strategy, in which an organization keeps at least three copies of its data in two different locations or media and at least one copy offsite. Backups should also be tested to ensure they work and can meet an organization’s recovery time and recovery point objectives.
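The rule above is easy to state and easy to drift away from. As an added illustration (not CDW's or the author's code), the script below encodes the 3-2-1 checks exactly as the article phrases them (three copies, two different locations or media, one offsite) together with the two conditions that make a backup usable in a ransomware recovery: the freshest copy must sit inside the recovery point objective, and every copy must have been restore-tested recently. The backup records, the RPO of 24 hours and the 90-day test window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Added example, not CDW's or the author's code: a policy checker for the
# 3-2-1 rule (three copies, two locations or media, one offsite) plus the
# "test your backups" and RPO checks. All records below are constructed.


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                  # e.g. "disk", "tape", "object-storage"
    location: str               # site where this copy lives
    offsite: bool               # stored away from the primary site
    taken_at: datetime          # when this copy was last refreshed
    last_restore_test: Optional[datetime]   # None = never restore-tested


def check_321(copies: List[BackupCopy], now: datetime, rpo: timedelta,
              max_test_age: timedelta) -> List[str]:
    """Return finding codes; an empty list means the backup set is compliant."""
    findings = []
    if len(copies) < 3:
        findings.append("TOO_FEW_COPIES")
    # The article's wording: copies on two different locations *or* media.
    if (len({c.media for c in copies}) < 2
            and len({c.location for c in copies}) < 2):
        findings.append("NO_MEDIA_OR_LOCATION_DIVERSITY")
    if not any(c.offsite for c in copies):
        findings.append("NO_OFFSITE_COPY")
    # RPO: the freshest copy must be younger than the tolerated data-loss window.
    if copies and now - max(c.taken_at for c in copies) > rpo:
        findings.append("RPO_NOT_MET")
    # A copy that has never been restored cannot be relied on to meet the RTO.
    for c in copies:
        if c.last_restore_test is None or now - c.last_restore_test > max_test_age:
            findings.append(f"RESTORE_UNTESTED:{c.name}")
    return findings


NOW = datetime(2021, 9, 17, 8, 0)

# Constructed: a compliant set (disk on-site, tape in a vault, object storage in another region).
GOOD = [
    BackupCopy("nightly-disk", "disk", "hq", False,
               NOW - timedelta(hours=6), NOW - timedelta(days=10)),
    BackupCopy("weekly-tape", "tape", "vault", True,
               NOW - timedelta(days=2), NOW - timedelta(days=20)),
    BackupCopy("cloud-snapshot", "object-storage", "region-b", True,
               NOW - timedelta(hours=7), NOW - timedelta(days=5)),
]

# Constructed: two stale disk copies in the same rack, never restore-tested.
BAD = [
    BackupCopy("disk-a", "disk", "hq", False, NOW - timedelta(days=3), None),
    BackupCopy("disk-b", "disk", "hq", False, NOW - timedelta(days=3), None),
]

if __name__ == "__main__":
    for label, copies in (("good", GOOD), ("bad", BAD)):
        print(label, check_321(copies, NOW, rpo=timedelta(hours=24),
                               max_test_age=timedelta(days=90)))
```

Running the checker against the second set reports every way it would fail a real recovery: too few copies, no diversity, nothing offsite, a missed RPO and two untested copies. The same function can be driven from a backup platform's inventory export once the records are mapped onto `BackupCopy`.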

Protect Your Endpoints

Poorly defended endpoints give attackers an opportunity to gain a foothold on a network. Deploying next-generation anti-malware software and endpoint detection and response technology enables IT teams to protect their endpoints inside and outside an organization’s network.

Develop an Asset Management Program

You can’t secure assets if you don’t know that you have them.

Asset management forms the foundation of a modern cybersecurity program and is a prerequisite for comprehensive endpoint protection. 

Asset management programs inventory your IT hardware and help you track the security configuration of those systems to ensure they meet your security standards.

Deploy Multifactor Authentication

Password theft remains a major threat in today’s environment. Using multifactor authentication adds a layer of protection in the event of password theft, requiring that the attacker also gain control of a user’s phone or other authentication technology.

Move Toward Zero-Trust Network Access Approaches

This emerging cybersecurity philosophy uses strong authentication to make decisions about access based on each user’s identity rather than his or her network destination. Secure access service edge solutions are a great way to integrate zero-trust access ideas into your current control stack. Even if you aren’t in a position to modernize your remote access approach, it is still important to review all your external network access. Internet-facing RDP continues to be one of the primary ways ransomware groups gain access to organizations’ networks.
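Reviewing external access for exposed RDP is a check that can be automated against a firewall rule export. The script below is an added example, not CDW's or the author's code: it walks a constructed list of perimeter rules and reports every allow rule that admits TCP/3389 from a source outside private (RFC 1918) address space. The rule format and field names are assumptions; real firewall exports differ, and rule ordering (an earlier deny shadowing a later allow) is deliberately not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Added example, not CDW's or the author's code. Reports firewall allow rules
# that expose RDP (TCP/3389) to sources outside private address space.
# Rule format and field names are assumptions; the rule set is constructed.

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_PORT = 3389


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # source CIDR
    dst: str         # destination CIDR
    proto: str       # "tcp" / "udp"
    dport: int


def is_internal(net: ipaddress.IPv4Network) -> bool:
    """True when the whole network sits inside RFC 1918 space."""
    return any(net.subnet_of(p) for p in INTERNAL_NETS)


def internet_facing_rdp(rules: List[Rule]) -> List[str]:
    """Names of allow rules that admit RDP from any non-internal source.
    First-match shadowing by earlier deny rules is not modelled."""
    exposed = []
    for r in rules:
        if r.action != "allow" or r.proto != "tcp" or r.dport != RDP_PORT:
            continue
        src = ipaddress.ip_network(r.src)
        # A source entirely inside private space is not internet-facing;
        # anything broader (0.0.0.0/0, a partner's public range) is.
        if not is_internal(src):
            exposed.append(r.name)
    return exposed


# Constructed sample rule set.
RULES = [
    Rule("vpn-rdp", "allow", "10.50.0.0/16", "10.20.0.0/16", "tcp", RDP_PORT),        # internal only
    Rule("vendor-rdp", "allow", "0.0.0.0/0", "10.20.1.15/32", "tcp", RDP_PORT),       # open to the internet
    Rule("https-in", "allow", "0.0.0.0/0", "192.168.100.10/32", "tcp", 443),          # not RDP
    Rule("partner-rdp", "allow", "203.0.113.0/24", "10.20.1.16/32", "tcp", RDP_PORT), # external range, still exposed
    Rule("deny-rdp", "deny", "0.0.0.0/0", "0.0.0.0/0", "tcp", RDP_PORT),
]

if __name__ == "__main__":
    print(internet_facing_rdp(RULES))   # ['vendor-rdp', 'partner-rdp']
```

The "partner-rdp" hit is the one that tends to survive manual reviews: a rule scoped to a third party's public range is still internet-facing RDP, and a compromise of that partner hands the attacker the same door.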

Segment Your Networks

IT teams can use firewalls and other security technologies to divide networks into smaller segments. This frustrates an attacker’s ability to move around on an organization’s network after an initial attack and limits the scope of the damage caused by a ransomware infection.

Gain Visibility into Network Activity

Modern attackers try to remain on an organization’s network for an extended period to gather and exfiltrate data across the internet to their own systems. A well-instrumented security operations center (SOC) may help IT teams detect this activity early and take action to contain the damage. A strong program should include controls from the “SOC visibility triad”: network detection, endpoint detection, and security information and event management (SIEM) logs. SIEM content should also be mapped to the MITRE ATT&CK framework to ensure that your SOC has visibility into the most common tactics, techniques and procedures.
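The network-detection leg of the triad can catch the staging-and-exfiltration phase described above before the encryption routine runs. As an added example (not CDW's or the author's code), the script below sums outbound bytes per internal host to non-internal destinations over a few constructed flow records and raises an alert for any host that exceeds both an absolute threshold and a multiple of its own historical baseline; the alert is tagged with the ATT&CK tactic it maps to (TA0010, Exfiltration). The flow format, thresholds and baselines are assumptions.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example, not CDW's or the author's code: a simple exfiltration
# detector over constructed flow records. Format, thresholds and baselines
# are assumptions chosen for illustration.

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    # Explicit RFC 1918 test rather than ipaddress.is_private, which also
    # treats documentation ranges such as 203.0.113.0/24 as private.
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in INTERNAL_NETS)


# Constructed flow log: timestamp src dst dport proto bytes_out
FLOWS = """\
2021-09-16T02:14:05Z 10.20.1.15 203.0.113.8 443 tcp 6400000000
2021-09-16T02:20:41Z 10.20.1.15 203.0.113.8 443 tcp 5900000000
2021-09-16T03:02:10Z 10.20.1.22 198.51.100.20 443 tcp 120000000
2021-09-16T03:10:00Z 10.20.1.22 10.20.5.5 445 tcp 9000000000
2021-09-16T04:00:00Z 10.20.1.30 198.51.100.44 22 tcp 300000000
"""

# Constructed per-host daily baselines (bytes) learned from prior weeks.
BASELINE = {"10.20.1.15": 200_000_000,
            "10.20.1.22": 150_000_000,
            "10.20.1.30": 250_000_000}


def outbound_bytes_per_host(flow_text: str) -> Dict[str, int]:
    """Sum bytes sent from internal hosts to non-internal destinations."""
    totals: Dict[str, int] = defaultdict(int)
    for line in flow_text.splitlines():
        _ts, src, dst, _dport, _proto, nbytes = line.split()
        # Internal-to-internal traffic (e.g. SMB staging) is lateral, not exfil.
        if is_internal(src) and not is_internal(dst):
            totals[src] += int(nbytes)
    return dict(totals)


def flag_exfiltration(totals: Dict[str, int], baseline: Dict[str, int],
                      min_bytes: int, ratio: float) -> List[Tuple[str, int, str]]:
    """(host, bytes_out, attack_tactic) for hosts over min_bytes *and* over
    ratio x their baseline; an unknown host has a baseline of zero."""
    alerts = []
    for host, sent in sorted(totals.items()):
        base = baseline.get(host, 0)
        if sent >= min_bytes and sent >= ratio * base:
            alerts.append((host, sent, "TA0010 Exfiltration"))
    return alerts


if __name__ == "__main__":
    totals = outbound_bytes_per_host(FLOWS)
    for alert in flag_exfiltration(totals, BASELINE, min_bytes=1_000_000_000, ratio=10):
        print(alert)   # ('10.20.1.15', 12300000000, 'TA0010 Exfiltration')
```

Requiring both an absolute floor and a deviation from the host's own baseline keeps a busy file server from alerting every day while still catching a workstation that suddenly pushes gigabytes out over HTTPS. Feeding the same summaries into the SIEM alongside endpoint telemetry gives the SOC the correlation the triad is meant to provide.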

Story by Walt Powell, an accomplished cybersecurity expert and executive coach who specializes in providing executive guidance around risk, governance, compliance and IT security strategies. He is the executive security strategist at CDW and prior to that served as a senior security advisor at Optiv and a virtual CISO at Left Brain Security. Through these roles, he has had the opportunity to learn from and contribute to hundreds of CISOs and their programs. Powell holds dozens of professional certifications including CISSP, CISM, Carnegie Mellon – Heinz CISO, and the Stanford Advanced Cybersecurity Certificate, along with countless technical and presales certifications from top security vendors. Powell is also an accomplished musician and father who loves to spend time with his kids.
